GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-10-29 09:05:43 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 SAMSUNG_ rev.2AC1 465,76GB Running: xxsh6nrc.exe; Driver: C:\Users\Misiek\AppData\Local\Temp\kwldrpob.sys ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwSaveKey + 13D1 83C43369 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 83C7CD52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text C:\windows\system32\DRIVERS\atksgt.sys section is writeable [0xA0D54300, 0x3B6D8, 0xE8000020] .text C:\windows\system32\DRIVERS\lirsgt.sys section is writeable [0xA0DB0300, 0x1BEE, 0xE8000020] ---- User code sections - GMER 2.1 ---- .text C:\Programy\ESET NOD32 Antivirus\ekrn.exe[1788] kernel32.dll!SetUnhandledExceptionFilter 7637F4FB 4 Bytes [C2, 04, 00, 00] .text C:\Program Files\Real\RealPlayer\Update\realsched.exe[3108] kernel32.dll!SetUnhandledExceptionFilter 7637F4FB 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4} .text C:\Programy\Mozilla Firefox\firefox.exe[5388] ntdll.dll!LdrGetProcedureAddress + 26 77C02239 7 Bytes JMP 649BDFF0 C:\Programy\Mozilla Firefox\xul.dll .text C:\Programy\Mozilla Firefox\firefox.exe[5388] kernel32.dll!K32GetDeviceDriverBaseNameW + 5D 763793D6 7 Bytes JMP 65149773 C:\Programy\Mozilla Firefox\xul.dll .text C:\Programy\Mozilla Firefox\firefox.exe[5388] kernel32.dll!QueryPerformanceCounter + 13 7637C435 7 Bytes JMP 65149796 C:\Programy\Mozilla Firefox\xul.dll .text C:\Programy\Mozilla Firefox\firefox.exe[5388] kernel32.dll!LoadAppInitDlls + 355 7637F4F6 7 Bytes JMP 649C5F1A C:\Programy\Mozilla Firefox\xul.dll .text C:\Programy\Mozilla Firefox\firefox.exe[5388] GDI32.dll!GetViewportOrgEx + 26C 776D884B 7 Bytes JMP 651496F4 C:\Programy\Mozilla Firefox\xul.dll ---- User IAT/EAT - GMER 2.1 ---- IAT C:\windows\Explorer.EXE[2148] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [74732437] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll IAT C:\windows\Explorer.EXE[2148] @ C:\windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74715600] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll IAT C:\windows\Explorer.EXE[2148] @ C:\windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [747156BE] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll IAT C:\windows\Explorer.EXE[2148] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipFree] [747324B2] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll IAT C:\windows\Explorer.EXE[2148] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [74728514] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll IAT C:\windows\Explorer.EXE[2148] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74724CC8] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll IAT C:\windows\Explorer.EXE[2148] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [7472506F] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll IAT C:\windows\Explorer.EXE[2148] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [74725144] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll IAT C:\windows\Explorer.EXE[2148] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [74726671] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll IAT C:\windows\Explorer.EXE[2148] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [7472826B] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll IAT C:\windows\Explorer.EXE[2148] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [747287BA] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll IAT C:\windows\Explorer.EXE[2148] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7472901B] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll IAT C:\windows\Explorer.EXE[2148] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7472E1BE] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll IAT C:\windows\Explorer.EXE[2148] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74724BFA] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{F319D92B-77E8-4BBE-A45C-502223890FBC}\Connection@Name isatap.{075EE2C9-E4D0-4936-9BA6-65A424C257CB} Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{6B683E0E-1505-488C-8053-3C1301924246}\Linkage@Bind \Device\{DA40A657-57D5-47A6-A22A-D01E538D8217}?\Device\{F319D92B-77E8-4BBE-A45C-502223890FBC}?\Device\{45D7DEAA-8BA1-42AE-A393-7C5057DBBA82}?\Device\{9A146B5D-5E3B-4040-B728-802E9A4DA8A3}? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{6B683E0E-1505-488C-8053-3C1301924246}\Linkage@Route "{DA40A657-57D5-47A6-A22A-D01E538D8217}"?"{F319D92B-77E8-4BBE-A45C-502223890FBC}"?"{45D7DEAA-8BA1-42AE-A393-7C5057DBBA82}"?"{9A146B5D-5E3B-4040-B728-802E9A4DA8A3}"? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{6B683E0E-1505-488C-8053-3C1301924246}\Linkage@Export \Device\TCPIP6TUNNEL_{DA40A657-57D5-47A6-A22A-D01E538D8217}?\Device\TCPIP6TUNNEL_{F319D92B-77E8-4BBE-A45C-502223890FBC}?\Device\TCPIP6TUNNEL_{45D7DEAA-8BA1-42AE-A393-7C5057DBBA82}?\Device\TCPIP6TUNNEL_{9A146B5D-5E3B-4040-B728-802E9A4DA8A3}? Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00158344e1f3 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0026b654edff Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0026b654f493 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0026b654f652 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0026b6b1d969 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0026b6b1d969@00181308d8c0 0x41 0x57 0x44 0xC6 ... Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{F319D92B-77E8-4BBE-A45C-502223890FBC}@InterfaceName isatap.{075EE2C9-E4D0-4936-9BA6-65A424C257CB} Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{F319D92B-77E8-4BBE-A45C-502223890FBC}@ReusableType 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x16 0x31 0xAF 0xA2 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x3D 0x28 0xD6 0xDB ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00158344e1f3 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0026b654edff (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0026b654f493 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0026b654f652 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0026b6b1d969 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0026b6b1d969@00181308d8c0 0x41 0x57 0x44 0xC6 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x16 0x31 0xAF 0xA2 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x3D 0x28 0xD6 0xDB ... ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----